Cisco Secure ACS 5.4/Monitoring and Report Viewer - SNMP Settings

Similar Messages

• Customizing the Monitoring and Report Viewer - ACS 5.2

  Is there a way to modify the columns shown in the monitoring and reporting viewer so that I can see all of the relevant columns in one screen, similar to the ACS 4.x view?  I would like to view things at a glance, rather than having to click into each item.  Thank you for your help in advance.

  that's correct. here is what we have in ACS 5.4 for snmp.
  ACS 5.4 supports Simple Network Management Protocol (SNMP) to provide logging services. The SNMP agent provides read-only SNMPv1 and SNMPv2c support. The supported MIBs include:
  •SNMPv2-MIB
  •RFC1213-MIB (MIB II)
  •IF-MIB
  •IP-MIB
  •TCP-MIB
  •UDP-MIB
  •CISCO-CDP-MIB
  •ENTITY-MIB
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/device_support/sdt54.html#wp71020
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco Secure ACS with UCP assistance and enable password

  I am running Cisco Secure ACS version 4.2 running on a
  Standalone Windows 2003 Enterprise 2003with the lastest
  windows service pack and update. Secure ACS is running
  fine and I can authenticate with Cisco routers and
  switches. The Windows 2003 server is also running Microsoft
  IIS Server. In other words, the IIS server and Cisco
  Secure ACS is running on the same windows 2003 server.
  I am trying to get Cisco User-Changeable password to work
  with Cisco Secure ACS. I followed the release notes lines
  by lines and the work around provided below:
  Also server require more privileges for the internal windows user that runs CSusercgi.exe.
  The name of the windows user that runs UCP is IUSR_<machine_name>.
  Workaround steps:
  1) Install UCP 4 on a machine that runs IIS server.
  2) Open IIS manager
  3) Locate Default Web Site
  4) Double click on the virtual name 'securecgi-bin'
  5) Right click on CSusercgi.exe and choose Properties
  6) Choose 'File Security' tab
  7) Choose 'Edit' in 'Authentication and access control' area
  8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
  password (make sure that 'Integrated Windows authentication' is checked)
  I still can NOT get this to work. I got this error:
  It says:
  The page cannot be found
  The page you are looking for might have been removed,
  had its name changed, or is temporarily unavailable.
  HTTP Error 404 - File or directory not found.
  Internet Information Services (IIS)
  I modified everything in the Windows 2003 to be "ALLOWED" by
  EVERYONE. In other words, there are NO security on the windows 2003.
  It is still NOT working.
  The other question I have is that can Cisco UCP allow user
  to change his/her enable password?
  Can someone help? Thanks.

  Yes bastien,
  Thank you.
  But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
  I've given it several time; also going through Administrator account with administrative credentials but it always failed.
  Any suggestions/solution/?
  This time many thanks in advance.
  Regards
  Mehdi Raza

• ASK THE EXPERTS - WAAS MONITORING AND REPORTING

  Welcome to the Cisco Networking  Professionals Ask the Expert conversation. This is an opportunity to learn about Cisco Wide Area Application Services monitoring and reporting with Michael Holloway and Joe Merrill.  Michael is an escalation support engineer in the Application  Delivery Business Unit focusing on escalations to engineering related to  the Cisco Wide Area Application Services (WAAS) product. He has worked  with Cisco WAAS since its initial development, and with the first  product beta.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Joe Merrill is an escalation support engineer in the Application Delivery Business Unit focusing on escalations to engineering related to the Cisco Wide Area Application Services (WAAS) product. He has worked with Cisco WAAS since its initial development, and with the first product beta.
  Remember to use the rating system to let Michael and Joe know if you have received an adequate response.
  Michael and Joe might not be able to answer each question due to the volume expected   during this event. Our moderators will post many of the unanswered   questions in other discussion forums shortly after the event. This  event  lasts through August 27, 2010. Visit this forum often to view  responses  to your questions and the questions of other community  members.

  Very good questions. Let me try and take them one at a time. Some of the answers you will likely find in the CM GUI help (upper-left corner is the Help button), or in the online documentation. But let's add a little more color and detail.
  1)When we pull bandwidth Optimization report, on Y-Axis the graphs says Effective Capacity .What is Effective Capacity?
  Basically, the "effective increased bandwidth capacity" is telling you how much additional WAN bandwidth you've gained because of the optimization. It will chart somewhere between 1 times and 100 times. Typically it charts all traffic, though you can configure it to chart traffic for specific Applications.
  The CDM online help gives the formulas used to chart the graph:
  Effective WAN Capacity = 1 / (1-% Reduction Excluding Pass-Through)
  % Reduction Excluding Pass-Through = (Original Excluding Pass-Through - Optimized) / (Original Excluding Pass-Through)
  2)what is reduction % excluding and including passthrough
  Looking at the formulas given above might help you understand. The one is a reduction ratio compared to only the original traffic that is optimized. The other is a reduction ratio compared to all original traffic, whether it is optimized or not. So, if you want to know what kind of optimization you are getting for the traffic that you configured to have optimized, look at the "excluding pass-through" numbers. If you want to know the positive effect that optimization is having on your full traffic load, take a look at the "including pass-through" numbers.
  3)What is effectivity capacity including and excluding passthrough ?
  The effective capacity is what kind of throughput you can potentially realize on the WAN -- assuming you would fill it to 100% capacity -- because of the level of optimization you are seeing. The "including" numbers show you the effect of optimization compared to all the traffic passing through the WAE whether it is optimized or not. The "excluding" numbers show the effect of optimization compared only to the traffic that is receiving optimizations.
  4)With the help of which report, we can show the customer that the file download which took 10 mins in first attempt, is downloaded in 10secons in next attempt?
  This one is a little trickier. The reports are much broader than a single connection. They are for all traffic, or for traffic that matches specific defined Applications. You could create a separate Application and matching classifiers for the client and/or server IP addresses and/or ports, run the test, then configure the charts to only show you the data for that Application. By default, statistics for an Application aren’t charted unless you check the "Enable Statistics" box when defining/editing the Application.
  5)How to show that the bandwidth utilization has decreased by which %.
  You want to look at the % reduction numbers you asked about in #2 above.
  6)Which report says that the applications have become this much time faster?
  These questions are normally put forwarded by many customers ? Can you please help me with your expertise answer ?
  This is probably the hardest question to answer.
  "Faster" isn't always easy to define. You are probably talking about user experience rather than statistics found in a network device. What determines that experience? A web page fully populating with all the pictures? A CIFS-based application that saves a file? A custom application that collects data from different servers over different protocols to perform some operation? Much of that is subjective and based on multiple individual requests, sometimes over different protocols.
  What we can provide are statistics to show the effect of WAN optimization and application acceleration for specific types of traffic. We can't show you that displaying a web page is N times faster with WAAS, because we don't know which of all the many HTTP requests that are made are specific to the user experience. But we can show that each of the requests received so much overall optimization, so much optimization from DRE, so much optimization from LZ, so much added benefit from HTTP acceleration.
  What you would probably do is collect some base-line timings for performing certain user activities, then perform the same operations both cold (first pass) and warm (subsequent passes). Back up those timing numbers with reports from the CM GUI, and perhaps even the "show statistics connection connection-id ". Which reports to use? Start with those Optimization and Acceleration reports. Those are the reports we expect will give the most complete/accurate pictures of the benefit of WAAS. You can also create and even schedule custom reports as needed.

• Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

  I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
  I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
  I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
  In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
  This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
  I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
  Can anyone provide any help on this?

• Reporting & Audit Compliance Solutions for Cisco Secure ACS

  The Cisco Secure ACS Access Control Server is probably the worlds best selling remote access security solutions and its quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
  extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
  We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
  Featured Products:
  * aaa-reports! enterprise edition - Automated Reporting
  The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
  With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
  For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
  * csvsync - Automated ACS Database & Log File Collection
  csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
  Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
  Fore more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

  bump

• Monitoring and Reporting on ACS 5.1 not working

  Hello,
  I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced monitoring and reporting is installed on the ACS. This is my configuration on the Cisco Router
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  logging origin-id ip
  logging facility syslog
  logging source-interface GigabitEthernet1/1
  logging host 1.1.1.1 transport udp port 20514
  logging monitor informational
  epm logging
  On the ACS, when I open the dashboard --> ACS health  -> I get Status not available.
  Global Instance under Logging Categories been configured for local logging
  Thanks

  The view logprocessor is not running
  ACS role: PRIMARY
  Process 'database'                  running
  Process 'management'                running
  Process 'runtime'                   running
  Process 'adclient'                  running
  Process 'view-database'             running
  Process 'view-jobmanager'           running
  Process 'view-alertmanager'         running
  Process 'view-collector'            running
  Process 'view-logprocessor'         not monitored
  Does anyone know how to start it??
  Thanks

• Unauthorized device logging in via Cisco Secure ACS 3.2

  We have the Cisco Secure ACS v 3.2. There is a devices that we recently discovered is not added into the network configuration on the ACS. This device running IOS 12.2(29) does have all of the correct tacacs settings that should allow it to authenticate via Tacacs.
  So basically, the ACS is allowing users to use this device to login, even though it's not in the Network Config.
  When we look at the Logged-in Users report, it show the host name as "Tacacs+ Default". We aren't sure what that is supposed to mean, and why it's allowing it.
  Thank You for your time,
  Andrew

  Andrew,
  Make sure that you not using any Wildcards inplace to IP address in network configuration. Eg using 192.168.*.*
  This will open tacacs request from whole network 192.168
  Also check the passed attempts and check the NAS IP address from the where the request is coming. Search for that IP in network configuration and see if that IP belong to that switch in question. L3 switch can have multiple ip address.
  If that IP belong to that swtich , then you need to take that out from network configuration.
  Regards,
  ~JG
  Do rate helpful posts

• Features of Cisco Secure ACS Appliance

  Hi,
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
  There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
  The questions I wasn’t able to answer are:
  •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
  •     What happens if the server(s) fail?
              o     Can already authorized users still work?
              o     Can known users still be authorized?
              o     Are unknown users still blocked?
  •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
  •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
  •     Is there (besides of the reports) some kind of status overview with the ACS?
  •     Which kinds of Attacks can the ACS (alone) prevent?
              o     Can it prevent MAC Spoofing?
              o     Can it prevent MAC Flooding?
              o     Can it prevent ARP Attacks?
              o     Can it prevent IP Spoofing?
              o     Can it eliminate rouge DHCP servers?
              o     Can it prevent STP Attacks
  •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
  Thanks for all answers.
  Regards,
  taouri

  See inline answers:
  The questions I wasn’t able to answer are:
  •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
  Yes, as long as those devices support RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to insure it'll work.
  •     What happens if the server(s) fail?
              o     Can already authorized users still work?
  This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work
              o     Can known users still be authorized?
  In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
              o     Are unknown users still blocked?
  Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
  •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
  Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
  •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
  Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
  •     Is there (besides of the reports) some kind of status overview with the ACS?
  Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
  •     Which kinds of Attacks can the ACS (alone) prevent?
  ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
              o     Can it prevent MAC Spoofing?
              o     Can it prevent MAC Flooding?
              o     Can it prevent ARP Attacks?
              o     Can it prevent IP Spoofing?
              o     Can it eliminate rouge DHCP servers?
              o     Can it prevent STP Attacks
  •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
  This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
  http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• Setting privileges in Cisco Secure ACS Version 5.1.0.44

  I am setting privileges in Cisco Secure ACS Version 5.1.0.44.
  In the command sets from the ACS server, I denied few commands as can be seen in the attached screenshot and selected 'Permit any command that is not in the table below'.
  I am unable to see some commands like "Show running-configuration" from the router I was testing. What changes should I do to see all the commands other than the denied commands. Your help will be rated. Thank you.

  Hi,
  The ACS is able to handle permit or deny commands.
  I created a configuration example that will help you to understand command shell.(see attach doc)
  Instead of using show running-config please use show config.
  also make sure that all the users are using privilege 15.
  Regards,

• Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.

  Hello,
  I am having Cisco Secure ACS 4.X Solution Engine 1113 Appliance, and is running on version Cisco Secure ACS Release 4.1(1) Build 23 and now want to upgarde it to the latest version. Need to know the upgrade path for the same. As per my information ACS 4.1(1) runs on windows server and releases post to 5.X uses Linux. Please guide how can i upgrade Appliance 1113 from 4.1 to 5.x

  Hi,
  Cisco ACS 1113 appliance doesn't support ACS 5.x version. 1113 appliance supports till ACS 4.2.1 version.
  Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
  The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
  Regards,
  Karthik Chandran
  *kindly rate helpful post*

• Cisco Secure ACS

  Hi all,
  With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization, and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured.
  So, when i have 1 firewall for vpn gateway, and using acs as an aaa server, how much network access device which is counted ? 1 or as many as vpn client connected to the firewall ?
  500 network access device means concurrent connection or not ?

  ACS is based on the number of NADs (Network Access Devices) like switches, routers, ASAs, etc. So in your example, your Firewall will consume 1 license regardless of the total number of VPN sessions. 
  With ISE, the licenses are based on the total number of endpoints. So in your example, each VPN session will take a license. 
  I hope this helps!
  Thank you for rating helpful posts!

• Patch rollup for Cisco Secure ACS 4.2 fails.

  I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
  Thanks

  Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
  Also my versions are as follows:
  Server OS - Windows Server 2003 R2
  Cisco Secure ACS - 4.2.(0) Build 124
  Thanks,
  Richard Jaehne

• With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

  Hello Everybody,
  I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
  I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
  Thanks in advance and regards....

  Hello Scott,
  Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
  Thanks and regards...